Digital security is not binary: there is no simple 0 or 1, insecure or secure. The message of this page is that the more inconvenience one is willing to accept and the more time one invests, the more security one can gain.

Downloading the images in the clear without any verification is the least safe method. On the other hand, how insecure is it? Consider, for example, gpg4win, Firefox Portable and so on: no SSL is available when downloading those software projects. Comparing how often software gets downloaded with how rarely the accompanying signatures are downloaded shows that very few people care. Yet reports of downloads compromised by a man-in-the-middle attack (for any project) are rare.

Sourceforge.net does not support SSL for downloads.

When viewing the SourceForge download page while logged into sourceforge.net, you can see the MD5 and SHA1 hashes (provided by sourceforge.net, not by Whonix developers) after clicking the i button (View details).

Comparing the hash sums shown on the SSL-protected page with the hash sums of the downloaded file is safer than no verification at all.

OpenPGP verification (as noted on the Download page) is much safer and highly recommended.
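The hash comparison described above, as an added example that is not part of the original page: a Python script that hashes the downloaded file once and compares the result with the MD5 and SHA1 values copied from the SSL-protected details view. The function names and command-line arguments are assumptions made for illustration.

```python
import hashlib
import hmac

# Hex digest lengths for the two algorithms the download page publishes.
HEX_LEN = {"md5": 32, "sha1": 40}

def file_digests(path, algorithms, chunk_size=1 << 20):
    """Hash the file once, in chunks, for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def normalize(name, pasted):
    """Clean a hash copied from the web page; reject anything malformed."""
    value = "".join(pasted.split()).lower()
    if name not in HEX_LEN:
        raise ValueError(f"unsupported algorithm: {name}")
    if len(value) != HEX_LEN[name] or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a valid {name} hex digest: {pasted!r}")
    return value

def verify_download(path, published):
    """Return {algorithm: bool} for each hash published on the details page."""
    if not published:
        raise ValueError("no published hashes supplied")
    expected = {n.lower(): normalize(n.lower(), v) for n, v in published.items()}
    actual = file_digests(path, expected)
    return {n: hmac.compare_digest(actual[n], expected[n]) for n in expected}

def is_verified(path, published):
    """Accept the file only if every published hash matches."""
    return all(verify_download(path, published).values())

if __name__ == "__main__":
    import sys
    # Assumed usage: python verify.py FILE MD5_FROM_PAGE SHA1_FROM_PAGE
    path, md5_hex, sha1_hex = sys.argv[1:4]
    results = verify_download(path, {"md5": md5_hex, "sha1": sha1_hex})
    for name, ok in results.items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

A match only shows that the file agrees with what the hosting site published; it does not replace the OpenPGP verification recommended on this page.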

Building Whonix from source code is the most secure option to obtain Whonix. (Many bonus points for auditing the source code before using it.)

Of course, providing downloadable images over SSL and/or a hidden service hosted by Whonix developers in a physically owned and protected place would be safer. In practice, it is difficult to provide SSL-protected downloads at all. Many important software projects can only be downloaded in the clear, such as Ubuntu, Debian, Tails, Qubes OS, etc. This is because someone has to pay the bill, and SSL (encryption) makes it more expensive. At the moment we don't have any mirror supporting SSL. We're looking for SSL-supported mirrors to share the load.

The SSL CA system being flawed in the first place is another story (see SSL).

Having SSL-supported mirrors may seem like an oxymoron. The common practice is to say that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it is still an open question how good their server security is. And even if their server security is good, mirrors are generally also hosted at hosting companies, and we can't trust those. However, not all adversaries have all available capabilities. Not all adversaries capable of mounting a man-in-the-middle attack are capable of breaking server security or forcing the hosting company to turn over the keys, etc. Users who do not care to use verification are still better off downloading from an SSL-supported mirror, which works against less sophisticated adversaries. In numbers, this results in fewer users potentially ending up with maliciously altered downloads, so we think this is worth going for.

It would also be safer if the download server were under the full control of the developers and not under the control of a big company (hosting provider). But that's not how things work today. Self-hosting is very expensive. (It requires a fast internet connection, and home user contracts won't be fast enough; many servers; electrical power; and physical security (officers).) Even the servers of The Tor Project are not hosted in some developer's home.

Building from source code is also safer, because the developer does not have to be trusted. However, note that since Whonix 8, the downloadable images are verifiable. See also Trust.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.